--with-vfs and ACLs problem
AEsh at tricord.com
Thu Jun 20 15:32:02 GMT 2002
Helpful info to answer Mr. Sharpe's questions:
To find the domain SID of any domain controller:
rpcclient //ip-or-netbios-name-of-domain-controller -U DOMAIN+Username%password -c lsaquery
To find the MACHINE SID of the Samba server:
(keep hitting return until you see the key
(convert the second through seventh 32-bit words of the key's value
into decimal and pre-pend "S-1-")
For example, the secrets.tdb entry:
key 17 bytes
 53 45 43 52 45 54 53 2F 53 49 44 2F 50 4C 55 54 SECRETS/ SID/PLUT
 4F O
data 68 bytes
 01 04 00 00 00 00 00 05 15 00 00 00 69 87 68 E6 ........ ....i.h.
 0C C7 2C 3B 06 A9 51 9D 00 00 00 00 00 00 00 00 ..,;..Q. ........
(Remember it's little-endian, so the hex number to convert for the third word
From: Richard Sharpe [mailto:rsharpe at ns.aus.com]
Sent: Thursday, June 20, 2002 6:07 PM
To: Nir L
Cc: esteadle at spinnakernet.com; samba-technical at samba.org
Subject: Re: --with-vfs and ACLs problem
On Thu, 20 Jun 2002, Nir L wrote:
> The problem is, that my Client Workstations are displaying correct account
> names when looking for ACL's of files of all the NT servers in the DOMAIN.
> The Client has no problem with that. It has problem when trying to translate
> SID's of the DOMAIN that were created by Samba.
> So - My guess is that after all the problem is with the samba creating the
> SID's and not with the clients or the PDC. Maybe something on the ACL that
> is returned makes the client NOT requesting for more info from the PDC.
> But - I don't know what it is...
Are you working in a domain trusts environment?
Prior to 2.2.4, I think, Samba was doing silly things when constructing
the token for a user just logging on. It was using its own DOMAIN SID and
the RID from the incoming token, rather than the DOMAIN SID of the domain
they authenticated in.
This could create some silly problems.
The other thing that might be happening, depending on your code, is that
the user's local SID might be used, and if you are not using winbindd,
this might not be being handled properly.
What do the SIDs look like? Can you relate them to the machine SID for
Samba or the DOMAIN SID for your domain?
Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org,
sharpe at ethereal.com
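
The manual conversion described above, written out as an added example (not part of the original thread or of Samba's code). It goes slightly further than the fixed word count in the message by reading the sub-authority count from the record. It assumes the standard binary SID layout: a revision byte, a count byte, a 6-byte big-endian authority, then little-endian 32-bit sub-authorities. The function names and the sample ACL SIDs are constructed for illustration.

```python
import struct

# Value bytes as shown in the secrets.tdb dump in the message above
# (the dump prints 32 of the 68 bytes; nothing past the fourth
# sub-authority is read here).
SECRETS_SID_VALUE = bytes.fromhex(
    "01 04 00 00 00 00 00 05 15 00 00 00 69 87 68 E6"
    "0C C7 2C 3B 06 A9 51 9D 00 00 00 00 00 00 00 00"
)
MAX_SUB_AUTHS = 15  # 8-byte header + 15 * 4 bytes = the 68-byte record


def sid_from_bytes(blob: bytes) -> str:
    """Decode a binary SID (assumed layout, see lead-in) to S-1-... form."""
    if len(blob) < 8:
        raise ValueError("shorter than the 8-byte SID header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unexpected SID revision {revision}")
    if count > MAX_SUB_AUTHS or len(blob) < 8 + 4 * count:
        raise ValueError(f"sub-authority count {count} does not fit the data")
    authority = int.from_bytes(blob[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack_from(f"<{count}I", blob, 8)   # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def rid_in_domain(sid: str, domain_sid: str):
    """Return the RID if sid is domain_sid plus one trailing RID, else None."""
    prefix, _, rid = sid.rpartition("-")
    return int(rid) if prefix == domain_sid and rid.isdigit() else None


if __name__ == "__main__":
    machine_sid = sid_from_bytes(SECRETS_SID_VALUE)
    print("machine SID:", machine_sid)
    # Constructed sample SIDs, as they might appear in a file's ACL.
    samples = (machine_sid + "-1005",
               "S-1-5-21-1111111111-2222222222-3333333333-1005")
    for sid in samples:
        rid = rid_in_domain(sid, machine_sid)
        print(sid, "-> RID" if rid is not None else "-> other domain", rid)
```

Comparing the prefix of a SID taken from an ACL against both the machine SID and the lsaquery domain SID shows which of the two issued it.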